The disclosure of yet another massive cyber breach at yet another company has become a weekly occurrence. These recurring events have a number of implications, which include not only what companies need to do to try to prevent these kinds of events, but also how companies need to prepare in order to be able to respond if they are hit with a cyber breach. In the following guest post, Paul Ferrillo and Randi Singer of the Weil Gotshal & Manges law firm describe how company officials can evaluate their company’s cyber breach incident response and business continuity plans. A version of this article was previously published as a Weil client alert.

 

I would like to thank Paul and Randi for their willingness to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest blog post. Here is Paul and Randi’s article.

 

************************************************ 

 

“By the time you hear thunder, it’s too late to build the ark.” – Unknown

In November 2014 – just two weeks after Admiral Michael Rogers, director of the National Security Agency, testified to the House Intelligence Committee that certain nation-state actors had the capability of “infiltrating the networks of industrial-control systems, the electronic brains behind infrastructure like the electrical grid, nuclear power plants, air traffic control and subway systems”[i] – Sony Pictures announced it had experienced a major cyber-attack, one many sources believe was likely perpetrated by or on behalf of a nation-state. This destructive cyber-attack was a game-changer for corporate America because it became clear that hackers are not simply focused on credit card numbers or personal information. Indeed, the attack on Sony was designed to steal the Company’s intellectual property, disseminate personal emails of high-ranking executives, and destroy Sony servers and hard drives, rendering them useless.[ii]

What the events of 2014 proved to corporate America is that there are no fool-proof methods for detecting and preventing a devastating cyber-attack. As FBI Director James Comey eloquently put it, “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”[iii]

Thus, it is absolutely critical to understand what kind of data a company collects, how the company uses, stores, shares, processes, protects, and disposes of information, and how to develop and evaluate a plan to respond to attacks that target these data. Proper planning can mean the difference between a news story that begins, “Sony has just announced that Sony Pictures Entertainment co-chairman Amy Pascal is stepping down from her post,”[iv] and one that announces a major cyber-attack, but concludes, “Anthem said it doesn’t expect the incident to affect its 2015 financial outlook, ‘primarily as a result of normal contingency planning and preparation.’”[v]

Proper planning includes incident response and information management business continuity planning, which are mission-critical. They are (or should be) part of a Board’s enterprise risk management duties, and they are particularly vital for certain federally-regulated entities with an obligation to protect consumer and client information and to keep it private. We have written in-depth elsewhere about incident response plans and their elements.[vi] Here, we set forth a high-level summary designed to help evaluate a company’s incident response and business continuity plans.

Incident Response Planning – You Can’t Defend What You Can’t See

Given that 97 percent of the IT systems of companies surveyed globally have been breached,[vii] the question of how to protect a network from a breach is effectively a moot point. The better question is, how do you respond in the event of a breach when it occurs despite your best prevention efforts?

Incident response planning is exactly what it sounds like – a plan to detect and respond to indicators or actual evidence found on a network server or alert system that a malicious intrusion may be occurring.

In general, there are many indicators or precursors of a potential cyber-attack. Though there are far too many to list, potential triggers for a robust incident detection and response plan include:

  • A network intrusion detection sensor alerts when a buffer overflow attempt occurs against a database server.
  • Antivirus software alerts when it detects that a host is infected with malware.
  • A system administrator sees a filename with unusual characters.
  • An application logs multiple failed login attempts from an unfamiliar remote system.
  • An email administrator sees a large number of bounced emails with suspicious content.
  • A network administrator notices an unusual deviation from typical network traffic flows.[viii]

This non-inclusive list, based on the National Institute of Standards and Technology Computer Security Incident Handling Guide, illustrates one of the most basic challenges of working with advanced incident intrusion detection systems: they often generate thousands, if not tens of thousands of alerts of potential intrusions into a company’s computer network every day. In fact, one recent report notes that potentially actionable (i.e., “we better take a look at this”) malware intrusions could number in the thousands per day.[ix]

Even in the largest companies, resources are not unlimited, particularly given the shortage of skilled IT professionals in the marketplace today, so each company’s incident response plan will necessarily reflect certain compromises. However, recent events offer some basic principles as to how companies can and should lay out their incident detection and response plans from a “process perspective”:

  • Incident responders need to understand the “normal” behavior of their network. Logs kept by intrusion detection systems provide detailed reports from firewalls, intrusion detection devices, and network traffic flow activity meters.
  • Incident response handlers need to fully understand what is “normal” behavior on any given day and time, so that they then can determine what is “not normal” based upon any one particular alert. Visibility is one of the key issues to emphasize because no security system in the world will mean much if you can’t tell the difference between alerts to which you should respond and alerts to which you must respond. Often, breaches happen because critical alerts are overlooked amid the noise of numerous other alerts of lesser importance.
  • Firewall, intrusion detection, and network activity logs need to be maintained and accessible, so efforts can be made to correlate potentially malicious current activity with network activity in the past. It may be necessary to keep these logs handy for months, since many attacks take that long to be “noticed” by an unsuspecting company.
  • Cyber events need to be correlated quickly. Many times, this function can either be outsourced to a third party vendor, or it can be performed mechanically with an appropriate hardware solution that can analyze all of the alerts in real time.[x]
  • After reviewing evidence supplied by each of the above steps, incident response teams need objective criteria to determine which intrusions need to be escalated to a higher level and/or investigated further.[xi]
  • Finally, when a breach and/or exfiltration of customer or protected data is confirmed, a plan should be in place to quickly minimize the damage to your network infrastructure, your brand, and your customers and employees.

As there is no silver bullet in a constantly-evolving environment where hackers are often several steps ahead of cybersecurity professionals (or at least adapt quickly to new security measures), a lawyer conducting due diligence on a company’s incident response plan should evaluate the approach and process of the plan. Malware leaves signs or indicators of “bad behavior” on logs. Network traffic monitors may show spikes at unusual times, or even better, at regular intervals. A robust plan will have a process in place to correlate all of the indicators as quickly as possible and then escalate those more “suspicious” events for further review. In many cases, automated processes that correlate aggregated log data using “big data” analytics may be of particular benefit given the time-sensitive nature of event-response: any particular piece of malware could have devastating consequences if it is not quickly captured and eradicated.[xii]
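The process described above (know the baseline, correlate alerts across sensors, watch for activity at regular intervals, escalate on objective criteria) can be sketched as follows. This is an added example, not code from the authors or from any product they mention; the alert records, host names, baselines and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2015, 2, 1, 2, 0, 0)  # constructed start time


def _build_sample():
    """Constructed alerts: (timestamp, host, sensor, detail). Not real data."""
    alerts = []
    # db01: outbound traffic spike every 300 s, plus IDS and antivirus alerts
    for i in range(8):
        alerts.append((T0 + timedelta(seconds=300 * i), "db01",
                       "netflow", "outbound spike"))
    alerts.append((T0 + timedelta(minutes=1), "db01",
                   "ids", "buffer overflow attempt"))
    alerts.append((T0 + timedelta(minutes=3), "db01",
                   "antivirus", "malware detected"))
    # web02: failed logins at irregular times, seen by one sensor only
    for offset in (5, 47, 410, 900, 2600, 2615):
        alerts.append((T0 + timedelta(seconds=offset), "web02",
                       "app", "failed login"))
    # ws17: a single antivirus alert
    alerts.append((T0 + timedelta(minutes=20), "ws17",
                   "antivirus", "malware detected"))
    return alerts


SAMPLE_ALERTS = _build_sample()

# Constructed history: alerts per host for the same hour on seven earlier days.
SAMPLE_BASELINES = {
    "db01": [1, 0, 2, 1, 0, 1, 1],
    "web02": [1, 2, 1, 0, 2, 1, 1],
    "ws17": [0, 1, 0, 0, 1, 0, 0],
}


def is_periodic(timestamps, min_events=5, max_cv=0.1):
    """True when gaps between events are nearly constant.

    Uses the coefficient of variation (std dev / mean) of the gaps;
    the 0.1 cut-off and the 5-event minimum are assumed thresholds.
    """
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return pstdev(gaps) / avg <= max_cv


def exceeds_baseline(history, current, k=3.0):
    """True when `current` is more than k std devs above the historical mean.

    The std dev is floored at 1.0 so a flat history does not flag on +1.
    """
    if len(history) < 2:
        return False
    return current > mean(history) + k * max(pstdev(history), 1.0)


def triage(alerts, baselines):
    """Correlate alerts per host and apply fixed escalation criteria.

    Returns {host: (level, reasons)}; two or more independent reasons
    escalate, one goes to review, none is only logged.
    """
    by_host = defaultdict(lambda: defaultdict(list))
    for ts, host, sensor, _detail in alerts:
        by_host[host][sensor].append(ts)

    results = {}
    for host, by_sensor in by_host.items():
        total = sum(len(t) for t in by_sensor.values())
        reasons = []
        if len(by_sensor) >= 2:
            reasons.append("corroborated by %d sensors" % len(by_sensor))
        if any(is_periodic(t) for t in by_sensor.values()):
            reasons.append("regular-interval activity")
        if exceeds_baseline(baselines.get(host, []), total):
            reasons.append("volume above baseline")
        if len(reasons) >= 2:
            level = "escalate"
        elif reasons:
            level = "review"
        else:
            level = "log"
        results[host] = (level, reasons)
    return results


if __name__ == "__main__":
    for host, (level, reasons) in sorted(triage(SAMPLE_ALERTS,
                                                SAMPLE_BASELINES).items()):
        print(host, level, "; ".join(reasons) or "-")
```

Against months of retained logs, the same functions can be re-run on historical windows to check whether a newly noticed pattern was already present earlier.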

Business Continuity Planning

Information management business continuity planning requires implementing procedures to recover data and information from a backup source as quickly as possible in order to get systems back online.[xiii] Business continuity planning was once the province of preparations for hurricanes, fires, and earthquakes, but in the wake of the devastating attack on Sony Pictures – as well as the companion announcement of the wiper malware attack on the Las Vegas Sands[xiv] – it is incumbent upon a company (and its board) to plan for the consequences of a severe cyber-attack, which might involve the loss of data, the loss of servers, the loss of computer hard drives, and even the loss of VoIP-based phone systems. As many have noted, “The biggest risk a company faces in today’s uncertainty of cyber-attacks is not being prepared.”[xv]

Volumes can be (and have been) written about business continuity planning in general. Vendors abound in this area, many claiming to offer the “best” back-up and business continuity procedures. And of course, every company (whether it is U.S.-based or multi-national, or a financial institution, broker-dealer or “brick-and-mortar”) is different when it comes to determining the most important elements of a business continuity plan, including which systems are critical to the organization, and how and when to bring them online. But in examining a company’s continuity planning for a cyber-attack, at least the following issues should be addressed:[xvi]

  1. Does the company have a written Business Continuity Plan?
  2. Has the company done a Business Impact Analysis that identifies the company’s most critical systems and the maximum downtime that can be tolerated if they go down?
  3. What are the company’s systems back-up procedures? How often is the full system backed up? Are back-ups maintained on the network? Has an “air gap” architecture been built into the company’s back-up procedures so that a cyber-attacker cannot attack system back-ups because they are segregated and being held off of the network?[xvii]
  4. Where are the back-ups held and how are they stored (network storage, external hard drives, or even in the cloud)?
  5. How long will the back-up media be maintained? How quickly can the company get to the back-up data when it is needed?[xviii]
  6. Once the back-ups are accessible, what are the company’s exact procedures for (A) obtaining whatever hardware is needed for the system restoration, (B) the restoration of the company’s critical operating systems and applications, (C) restoring other data to their then-known back-up state, and (D) testing the restored system to make sure everything is working properly?
  7. Finally, as many telephone systems are internet-based, a telephone recovery strategy also needs to be in place.[xix]

Like an incident response plan, a business continuity plan needs to be tested, the personnel responsible for implementing it need to be trained, and it should be periodically rehearsed so that all involved (including third-party or outsourced vendors) know their roles in getting the organization’s information management system back on line.[xx] Ideally, a plan should be put to the test through a full-scale functional exercise that includes a “full cut-over” and recovery to back-up data.

*          *          *          *

In many cases, the company that you are diligencing may be your own. It is indisputable that enterprise risk management is part of a director’s fiduciary duty to the organization and its shareholders. And cybersecurity today is undoubtedly part of enterprise risk management, and thus within a board of directors’ oversight role:

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct. Management and the board of directors have the authority and responsibility to set the top priorities of the company. If being secure, vigilant, and resilient is not defined as a priority and communicated within the organization, there is little hope that the organization will deploy sufficient resources to protect its information systems and to respond to cyber events appropriately.[xxi]

Though the drafting of incident response plans and business continuity plans can be complex, the last 13 months of cyber-attacks have taught us that both types of plans should be in writing, in place, practiced, tested, and ready to implement at any time. Taking the time to plan may well determine the fate of a company following a cyber-attack.

 

[i] See “NSA Director Warns of ‘Dramatic’ Cyberattack in Next Decade,” available here.  

[ii] See “Devastating malware that hit Sony Pictures similar to other data wiping programs,” available here.

[iii] See “Cyber Attacks on U.S. Companies in 2014,” available here.

[iv] See “Amy Pascal out as Sony Pictures co-chair,” available here.

[v] See “Health Insurer Anthem Hit by Hackers: Breach Gets Away With Names, Social Security Numbers of Customers, Employees,” available here.

[vi] See “The Importance of A Battle-Tested Incident Response Plan,” available here.

[vii] See “FireEye suspects FIN4 hackers are Americans after insider info to game stock market,” available here.

[viii] See NIST Computer Security Incident Handling Guide, Special Publication 800-61 (Rev.2) (2012), available here.

[ix] See “Security Case Study: Responsys,” available here. The same study notes that one large network it studied was getting 100,000-150,000 cyber “events” per day.

[x] See e.g. “An Adaptive Approach To Cyber Threats For The Digital Age,” available here (discussing one such advanced solution).

[xi] Indeed, for regulated investment advisers and managers, the April 2014 SEC Office of Compliance and Examinations announcement listed most of these process steps as “required” answers that a regulated entity will have to give at its next annual examination. See “OCIE Cybersecurity Initiative,” available here.

[xii] See e.g. “Big Data Analytics for Security Intelligence,” available here (noting “Big Data tools have the potential to provide a significant advance in actionable security intelligence by reducing the time for correlating, consolidating, and contextualizing diverse security event information, and also for correlating long-term historical data for forensic purposes.”).

[xiii] Note that incident response planning and business continuity planning are both questions that are required to be answered as part of the SEC Office of Compliance and FINRA Street sweep programs that are currently ongoing as respects cybersecurity.

[xiv] See “Now at the Sands Casino: An Iranian Hacker in Every Server,” available here.

[xv] See “Why Companies Need a Business Continuity Plan,” available here; “Hurricane, Fire… DDoS? Make Cyber Threats Part of Business Continuity Planning,” available here.

[xvi] We again note the concept of business continuity planning is “fair game” when dealing with regulators. See SEC OCIE Cyber Security Risk Alert, at pg. 2 (“Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident if one exists.”).

[xvii] See e.g. “Black Hat Keynoter: Beware of Air Gap Risks,” available here (noting the positives and potential negatives of an “air-gapped” based back up system).

[xviii] The NIST “Contingency Planning Guide for Federal Information Systems,” Publication 800-34 Rev. 1, available here, also suggests that certain organizations may also consider an off-site facility to not only keep their back up data, but keep hardware available so that they can resume business operations from the off-site facility. Such a site would obviously be more expensive, but for larger companies it would certainly be a feasible option to resume critical options as soon as possible.

[xix] Id.

[xx] See SEC OCIE Cyber Risk Alert, at pg. 3 (“[Does] the Firm periodically tests the functionality of its backup system. If so, please provide the month and year in which the backup system was most recently tested.”).

[xxi] See “COSO in the Cyber Age,” available here.

Over the past fifteen years, there has been a steady progression of corporate scandals, from Enron to options backdating to the excesses that led to the global financial crisis. These debacles were followed by waves of shareholder litigation. However, according to one legal scholar, the shareholder lawsuits all too often concentrate on enforcing legal duties on and imposing liabilities on the board of directors of the involved companies, to the exclusion of the officers whose misconduct led to their companies’ problems. As a result, the enforcement mechanism that shareholder litigation represents has not been effective in deterring corporate officer misconduct.

 

In a February 2, 2015 blog post on the CLS Blue Sky blog entitled “Legal Agency Costs: Our Preference to Sue Directors” (here) Oklahoma Law School Professor Megan Shaner contends that in pursuing shareholder litigation, plaintiffs’ lawyers tend to focus on director-specific actions. As also set out in greater detail in her longer scholarly article entitled “The (Un)Enforcement of Corporate Officer Duties” (here), Professor Shaner says that, despite the many high profile examples of officer misconduct, there is a near absence, even in Delaware, of case law discussing officers’ fiduciary duties. This suggests that these duties are not being enforced, at least by way of bringing lawsuits for violations. Shaner contends that in the absence of a functioning enforcement mechanism to hold officers accountable, the fiduciary duties imposed on officers will not have their intended constraining effect. She proposes several reforms to shareholder derivative litigation procedure, in order to remove possible impediments and disincentives for shareholder enforcement of officer fiduciary duties.

 

Shaner begins her longer article with a discussion of how over time a “culture of deference” to the actions and decisions of corporate officers has evolved. Senior corporate officials have, she contends, “all but subsumed” the board of directors’ role as the central corporate decision-maker. This in turn has led to all too many situations in which senior managers have put their interests ahead of those of the corporation. She cites as examples of this the Enron scandal, the options backdating scandal, and the events at Lehman Brothers and other firms that led to the financial crisis.

 

Shaner says “the recurring theme of officer malfeasance winding its way through the past fifteen years should not be ignored.” These events, she says, “raise corporate governance concerns and questions about perceived shortcomings in the current system of checks and balances on management power intended to deter misconduct and hold misbehaving managers accountable.”

 

Our legal system imposes fiduciary duties on corporate directors and officers. However, Shaner contends, the majority of decisions regarding the fiduciary duty doctrine has developed in the director context. There is “surprisingly little case law of commentary on the exact nature and scope of officer fiduciary duties.” The lack of officer fiduciary duty case law “raises questions regarding the effectiveness of the enforcement scheme.” It is, she says, not the fiduciary duties themselves but rather “the failure to enforce those duties as a constraint on officer power that has contributed to these instances of disloyalty and corruption.”

 

Shaner sees a direct link between the absence of fiduciary duty enforcement against corporate officers (as opposed to directors) and the recurrence of corporate scandals. The enforcement of legal obligations not only provides the means for punishing failures to discharge legal obligations, it also has “the corresponding benefit of incentivizing compliance with rules and regulations.” In order for fiduciary duties to have their “intended constraining effect on officer conduct – deterring misconduct and encouraging compliance ex ante as well as detecting and sanctioning misconduct ex post – it is important that the mechanisms in place to enforce those duties function effectively.”

 

Because in the current corporate environment boards often lack the incentive and informational means to monitor management effectively, shareholders often provide the most effective means of monitoring corporate officers and enforcing officer fiduciary duties. The primary enforcement mechanism available to stockholders, she says, is the derivative lawsuit. However, procedural rules often create significant hurdles for shareholders seeking to pursue derivative litigation.

 

Specifically, the demand requirement – taken together with the business judgment rule standards for the assessment of boards’ responses to shareholder litigation demands and the high standards associated with pleading demand futility – means at a minimum that the derivative lawsuit process is complex, lengthy and expensive, and ultimately very difficult to pursue successfully.

 

Shaner proposes reevaluating derivative litigation burdens in an effort to ensure stockholders have a meaningful enforcement mechanism available. In proposing derivative litigation procedural reforms, Shaner acknowledges “abuses by the defendants’ and plaintiffs’ bar, imposition of high litigation costs on the corporation, [and the] limited actual impact on promoting desirable behavior and agency costs.” Nevertheless, Shaner contends, the derivative lawsuit plays an important role in corporate governance, because “it is the most powerful tool available to stockholders in checking management power.”

 

In order to improve the ability of shareholders to monitor and enforce officer fiduciary duties, Shaner proposes two derivative litigation procedural reforms. First, she suggests that the demand requirement should be modified to excuse the demand requirement in certain circumstances and, second, that the role of the special litigation committee should be limited.

 

With respect to the demand requirement, she recommends excusing the demand requirement for stockholders that have one percent interest in the corporation, which she says would allow long-term holders of a corporation’s stock to file a derivative lawsuit without first having to satisfy the demand requirement. She proposes further that the extent of the ownership requirement would ratchet down as the length of the period of the shareholder’s ownership increases.

 

Shaner also proposes to limit or eliminate the role of the special litigation committee. She suggests that there should be a stronger presumption in favor of continuing derivative lawsuits and a more searching judicial inquiry into special litigation committee decisions, with a heavier burden on a committee to justify dismissal. She suggests as an alternative that the board’s ability to make use of a special litigation committee could disappear when the suit is brought by shareholders holding a certain percentage of the corporation’s stock.

 

In conclusion, Shaner contends that “reevaluating and relaxing derivative lawsuit requirements for stockholders will improve enforcement incentives and aid in ensuring that officers are being held accountable for their fiduciary obligations.”

 

Discussion

Shaner’s blog post is interesting and her longer article is scholarly and well-written, and I recommend both. However, while I recommend the articles, I must respectfully dissent from at least some parts of her analysis. In my view, the last thing the American economy needs is more litigation or litigation against more people.

 

First, I must admit my biases. The way I see it, our litigation system is the creation of lawyers – lawyers acting as legislators, lawyers acting as judges, lawyers acting as law school professors, lawyers acting as, well, lawyers. Not too surprisingly, the one group that litigation regularly and reliably rewards is the lawyers. From time to time there are meritorious lawsuits. All too often, however, litigation is a costly and burdensome waste of time, money and effort.

 

In my view, the ex post rationalization for derivative litigation is only arguable at best. The ex ante rationalization is even weaker. (By the way, why can’t legal scholars just say “before” and “after” like normal human beings?) Reducing her position to its bare essentials, Professor Shaner basically contends that there would be less corporate officer misconduct if there were more litigation against corporate officers, which would happen if it were easier to sue corporate officers. Her proposal is built on the presumption that more litigation against officers would deter officer misconduct. Personally, I think the conjecture that more litigation against officers would deter officer misconduct is speculative at best.

 

Let’s take a look at the record. After the era of corporate scandals such as Enron and WorldCom, there was a flood of litigation. A few short years later, we were treated to the unedifying spectacle of the options backdating scandal. The flood of litigation following the corporate scandals didn’t do anything to prevent or deter the subsequent backdating scandal. And by the same token, there was a massive amount of litigation following the options backdating scandal – almost all of it filed as shareholder derivative litigation – yet only a short time later, the global financial crisis followed. There were over 160 options backdating-related derivative lawsuits, but they did nothing to reform corporate behavior in the run up to the financial crisis.

 

The massive amounts of shareholder litigation following each of these scandals seem to have had little deterrent effect. The successive scandals happened just the same. Moreover, given the scale and nature of each of the succeeding scandals, I think it has to be seriously questioned whether the later misconduct could have been avoided if only a few more officers had been named as defendants in the earlier lawsuits. (And I should add here as an aside that in almost all of the more than 160 shareholder derivative lawsuits that were filed in the wake of the options backdating scandal, many of the corporate officers who received the backdated options were named as individual defendants. Their inclusion as defendants had no impact on the subsequent corporate misconduct that led up to the global financial crisis.)

 

I have spent much of the last twenty years since I left the active practice of law interacting with corporate officers and directors. I have to say that the deterrent effect from the threat of shareholder litigation is far weaker than legal academia assumes. Most directors and officers believe they will never get sued in a shareholder lawsuit. They look at the conduct that led to the scandals and to the lawsuits, and they say, I would never do anything like that, so I will never get sued. I will agree that those who have gotten caught up in litigation before take a different view, although even there many come away from the litigation convinced only that the system is flawed. Some former litigants are receptive to counsel on how to avoid future lawsuits, and so in that sense the shareholder litigation may have the kind of motivating and incentivizing effect that Shaner believes it to have. Overall the effect is far less than Shaner assumes.

 

I agree with Shaner that shareholder oversight may be the best way to avoid corporate officer misconduct. However, there are better ways to encourage and achieve shareholder oversight than through even more shareholder litigation against even more defendants. The solution (or at least a solution) may be through the involvement of more engaged activist shareholders.

 

Coincidentally, the cover story in last week’s Economist magazine addressed this very topic. In the February 7, 2015 magazine’s leader, entitled “Capitalism’s Unlikely Heroes: Why Activist Investors are Good for the Public Company” (here), the magazine discussed the increasingly effective new generation of activist investors that increasingly are a “force for good.” These activist investors have stepped forward to “fill a governance void,” which in turn has forced previously passive index fund and public pension fund investors to “become more active and more forward-looking.” According to the magazine’s longer cover article, activism is “a breath of fresh air in the stuffy, complacent world of the big American corporation.” Moreover, analysis shows that activist investor involvement has led to “a sustained, if modest, improvement in operating performance and better shareholder returns.”

 

Shareholder oversight through activism has advantages over oversight through litigation. Because an activist campaign cannot prevail without the support of other shareholders, there are natural mechanisms in place to constrain the process. There is less of a problem with agency costs and the kind of agency co-option that can happen in litigation when the lawyers take over the process.

 

Shaner does acknowledge – in the second paragraph of footnote 196 of her article – that “the emergence of institutional and activist shareholders as active participants in corporate governance has compensated for some of the collective action problems” that constrain shareholder oversight. However, in the text of her article, she says – explaining her preference for reformed derivative litigation as the preferred tool to improve shareholder oversight of corporate officer misconduct – that “the lack of economic incentives and other time, money and resource constraints continue to deter individual, institutional and activist shareholders alike, from engaging in consistent, meaningful monitoring of management.”

 

The recent Economist article is less skeptical about the promise and possibilities of activist shareholder involvement. Given the excesses to which shareholder litigation is prone, I would much rather see efforts to improve shareholder oversight focus on the proactive involvement of shareholders, rather than through further expansion of our litigation system.

 

To be sure, shareholder activism has its critics. The Economist article quotes the prominent corporate lawyer Martin Lipton as saying that activist shareholders are “having a serious impact on the economy and are an aggressive deterrent to investment, research and development and employee training.” The methods of many activist investors are not immune to excess, and can lead to even well-performing companies being targeted. But, again, because the activist investors can only succeed with the support of other shareholders, there are natural checks in the system against the worst of these effects. And the checks on activist shareholders are much more effective and direct than the checks on shareholder litigation excess.

 

I agree with Professor Shaner that more needs to be done to try to prevent corporate officer misconduct. Where she and I diverge is that I am against any proposed solution that will lead to more rather than less shareholder litigation. Litigation will not suddenly become a more effective deterrent mechanism if there is more of it or if corporate officers are named as defendants more frequently. Improved monitoring through increased shareholder involvement is a more promising method of trying to prevent corporate officer misconduct than is increased or expanded shareholder litigation, and it is less likely to lead to the inefficiencies and excess to which shareholder litigation is prone.

The number of securities class action lawsuits filed in Canada during 2014 was consistent with the recent annual average number of filings, and because case filings exceeded case resolutions, the aggregate total of unresolved class actions continued to grow during the year, according to a February 10, 2015 report from NERA Economic Consulting. According to the report, which is entitled “Trends in Canadian Securities Class Actions: 2014 Update” (here), there are now a total of 60 pending securities class action lawsuits in Canada representing more than $35 billion in total claims. NERA’s February 10, 2015 press release about the report can be found here.

 

According to the report, there were eleven securities class action lawsuits filed in Canada in 2014, the same number as in 2013. While the number of filings last year is consistent with the average annual number of filings during the period 2009-2013 (11.4), it is below the record number of filings in 2011 (when there were 15 new cases filed). Of the 123 Canadian securities class action lawsuits filed between 1997 and 2014, 68 (or 55 percent) were filed just in the last six years.

 

In addition, over the last six years a total of 46 class actions have been filed against companies listed on the Toronto Stock Exchange (TSX), representing about three percent of the average number of companies listed during that time, for an annual average litigation risk of approximately 0.5 percent. (By way of comparison, in its 2014 report of U.S. securities class action litigation activity, NERA reported that the probability of a U.S. listed company being sued in a securities class action lawsuit was about 4.2% in 2014.)

 

Of the eleven securities suits filed in 2014, eight were filed in Ontario; one was filed both in Alberta and British Columbia; one was filed only in British Columbia; and one was filed in Quebec. Historically, 78 percent of all new securities class action lawsuits involve a filing in Ontario; 24 percent involve a filing in Quebec; and 20 percent involve filings in provinces other than Quebec. About 23 percent involve filings in more than one province.

 

Four of the eleven new lawsuits filed in 2013 also involve parallel class action lawsuits in the U.S. At the same time, there were five other U.S. securities class action lawsuits filed against Canadian-domiciled companies where there was no equivalent lawsuit filed in Canada. Since 2006, approximately half of all U.S. filings against Canadian companies correspond to a parallel claim in Canada.

 

Unsurprisingly given the importance to the Canadian economy of the mining and the oil and gas sectors, cases involving companies in those sectors “continue to account for a substantial share of new filings.” Seven of the eleven 2014 securities suit filings involved companies in the energy and non-energy mineral sectors. On the other hand, filings against companies in the financial sector have declined compared to prior years. During the period 2010 to 2014, about 14 percent of all new filings involved companies in the financial sector, compared to about 31 percent during the period 1997 to 2009.

 

Almost all of the 2014 filings involved claims asserted under the secondary market civil liability provisions of the provincial securities acts. In 2014, ten of the 11 new filings were Statutory Secondary Market cases, consistent with the filing trends since the statutory provisions came into force at the end of 2005. There have now been 63 cases filed asserting claims under these statutory provisions.

 

Of the 123 securities class actions filed in Canada between 1997 and 2014, nine (7.3 percent) have been dismissed as of the end of 2014. Of the 63 Statutory Secondary Market cases, three (4.8 percent) have been dismissed so far.

 

During 2014, a total of six Canadian class action lawsuits settled, for a total of approximately $38.4 million. Both the median settlement and the average settlement during 2014 were $6.4 million. Five of the six cases settled during 2014 were Statutory Secondary Market cases, for which the average settlement was $5.7 million and the median was $5.9 million.

 

For the 50 settlements in NERA’s database that were entered between 1997 and 2014, the median settlement is $10.7 million. The average settlement among those 50 cases is $79.5 million, a figure that is inflated by two very large settlements involving Nortel Networks Corp.

 

Of the 50 settlements, 22 resolved Statutory Secondary Market cases, with an average settlement of $8.7 million and a median settlement of $7.0 million. Of these 22 settlements, 15 were domestic only cases and seven were cross-border cases. The 15 domestic only settlements averaged $6.8 million and had a median settlement value of $3.9 million. The seven settlements involving cross-border actions had an average settlement of $12.8 million – “about twice the amount of the typical settlement in domestic-only cases.” The median settlement value of these cross-border cases was $9.5 million.

 

At the end of 2014, 60 Canadian securities class action lawsuits remained unresolved, the largest number ever, and more than double the number of cases pending just five years ago and nearly three times the number as of the end of 2006. The 60 unresolved cases represent more than $35 billion in claims, including claims for both compensatory and punitive damages. All but six of the 60 pending cases were filed in 2007 or later. As of the end of 2014, there were also a total of 21 cases pending in the United States against Canadian domiciled companies.

 

 

The report concludes by noting that the oil and gas sector is under pressure, as are the Canadian and world economies in general. The report notes that in the U.S. class action lawsuit filings have tended to increase during periods of economic upheaval. The report states that “Whether we will see a similar increase in filing in Canada following the next episode of economic volatility remains to be seen.”

Japanese companies have not always set the standard for corporate governance, but a current initiative of the current governmental administration is trying to change that. As part of ongoing efforts to try to revitalize the Japanese economy, an advisory committee to the country’s Financial Services Agency (FSA) has introduced a draft proposed corporate governance code that, when finalized, will apply to all companies listed on Japanese exchanges.

 

 

The current draft of the code, published in December 2014 and entitled “Japan’s Corporate Governance Code: Seeking Sustainable Corporate Growth and Increase Corporate Value over the Mid- to Long Term” (here), is presently in a public comment period. The final code is scheduled to take effect on July 1, 2015. A February 2015 memo from the Jones Day law firm entitled “Japanese Corporate Governance is Changing with the Adoption of a New Code in 2015” and describing the current draft of the code can be found here.

 

Japanese Prime Minister Shinzō Abe’s economic revitalization policies place a priority on the corporate governance of Japanese companies. As part of his administration’s revitalization strategy, a committee, known as the Council of Experts Concerning the Corporate Governance Code, was formed in June 2014 to propose a revised corporate governance code. The Council introduced the current draft for public comment in December 2014. The final version of the code will be announced in March 2015 and it will take effect on June 1, 2015.

 

The current draft identifies the objectives of the Code as follows:

 

It is important that companies operate and manage themselves with the full recognition of responsibilities to a range of stakeholders, starting with fiduciary responsibility to shareholders who have entrusted the management. The Code seeks “growth-oriented governance” by promoting timely and decisive decision-making based upon transparent and fair decision-making through the fulfillment of companies’ accountability in relation to responsibilities to shareholders and stakeholders. The Code does not place excessive emphasis on avoiding and limiting risk or the prevention of corporate scandals. Rather, its primary purpose is to stimulate healthy corporate entrepreneurship, support sustainable corporate growth and increase corporate value over the mid- to long-term.

 

Because the code aims to allow governance to be adapted to each company’s particular situation, the code takes a “principles-based approach” rather than a rules-based approach. The code is not legally binding, but it does take a “comply or explain” approach, pursuant to which companies must either comply with a principle or explain the reasons why they have not done so.

 

The current draft of the code provides five General Principles, each of which has several specific supplemental principles. The five General Principles are: Shareholder Rights and Equal Treatment of Shareholders; Proper Cooperation with Stakeholders; Proper Disclosure and Transparency; Responsibilities of the Board; and Shareholder Engagement.

 

General Principle 4 specifies that company boards will fulfill their responsibilities in three ways: setting the broad direction of corporate strategy; establishing an environment where appropriate risk-taking by the senior management is supported; and carrying out effective oversight of directors and management from an independent and objective standpoint. The code also addresses the board’s role in the appointment and dismissal of management as well as with respect to executive compensation.

 

Interestingly, with respect to executive compensation, the Council of Experts expressed their concern that Japanese companies are too risk averse, and they suggest that the code should send a clear message about risk-taking in business operations and that executive compensation should provide proper incentives for healthy entrepreneurship. The Council urges boards to strike the proper balance of cash and equity compensation, and proposes that the compensation policy should be clearly disclosed.

 

In describing general principles regarding appropriate information disclosure and transparency, the draft proposes that companies should “strive to actively provide information beyond that required by the law,” including not only financial information, but also non-financial information “such as business strategies and business issues, risk and governance.” Because the information will serve as the basis for a dialogue with shareholders, the board should ensure that the disclosed information “particularly non-financial information, is accurate, clear and useful.”

 

Among other things, the draft code proposes “in order to enhance transparency and fairness in decision-making and ensure effective corporate governance” that companies should provide information about company objectives; the company’s policies and procedures in determining remuneration of senior management and of the directors; and board policies and procedures for the appointment of senior management as well as for the nomination of directors.

 

The draft code contains a number of specific principles that are of particular interest. For example, Principle 2.4, entitled “Ensuring Diversity, Including Active Participation of Women,” states that “companies should recognize that the existence of diverse perspectives and values reflecting a variety of experiences, skills and characteristics is a strength that supports their sustainable growth. As such, companies should promote diversity of personnel, including the active participation of women.” This principle is particularly interesting in light of what the Economist recently called the “lowly status” of women in the Japanese workforce.

 

Principle 2.5 addresses the issue of corporate whistleblowing. The provision states that “companies should establish an appropriate framework for whistleblowing such that employees can report illegal or inappropriate behavior, disclosures or any other serious concerns without fear of suffering from disadvantageous treatment.” 

 

There were a number of key class action litigation developments in Australia during 2014, according to a recent memo from the Jones Day law firm. Among other things, there were significant developments in particular in the securities class action litigation arena, according to the memo. The memo, which is entitled “Class Actions in Australia: 2014 in Review,” can be found here.

 

According to the memo, the largest class action settlement in Australian history took place in 2014, in the Kilmore East-Kinglake bushfire class action. The case arose out of a 2009 fire in the state of Victoria in which 119 people died and many others were injured and over 1,800 homes and other properties were destroyed. The class action lawsuit was brought against the owner and operator of a power line, the company responsible for inspecting and maintaining the power line, and various entities of the State of Victoria responsible for managing forest lands, on behalf of those killed or injured or who suffered property damage in the fire. Following a 208-day trial, the case settled for A$494 million (including fees).

 

With respect to securities class action litigation, the memo states that “it remains clear that shareholder claims are very strong, with new entrants and established plaintiffs’ law firms and funders attempting to build class actions against a number of corporations.” The memo notes that “the first half of 2014 saw a spike in shareholder class actions, with a number of new entrants threatening or commencing proceedings, mainly around alleged continuous disclosure breaches.” In total during the year, nine actions were threatened and four were commenced.

 

The memo also discusses the A$69.45 million settlement of the Leighton Holdings Ltd. securities class action litigation. The claim was a follow-on lawsuit from a regulatory action taken by the Australian Securities and Investments Commission which had resulted in A$300,000 in fines. The class action settlement amount is inclusive of A$3.9 for the applicant’s legal costs. The memo’s authors note that the Leighton class action provides “yet another example of regulatory action acting as a class action compass for plaintiffs law firms and litigation funders.” The settlement, the memo notes, was noteworthy for a number of reasons, including in particular “the speed of the settlement” – the case had been subject to mediation within five months of commencement and the settlement had been reached within seven months of commencement.

 

 

As I have noted in the past, litigation funding is an important part of the class action litigation landscape in Australia. During 2014, there were a number of decisions from the Supreme Court of Victoria on the question of the roles that lawyers can take in funding class action litigation.

 

In the Treasury Wine Estates Limited litigation, a solicitor acting for the representative party that had commenced the shareholder litigation was also the representative party’s sole director and shareholder. The court found that in these circumstances there was a real risk that the solicitor could not give detached, independent and impartial advice, taking into account both the interests of the representative party and the interests of group members. The trial court ordered that the solicitor be restrained from acting as solicitor for the class and that the proceedings be stayed while the individual acted in tandem as solicitor and shareholder.

 

The trial court declined to permanently stay the proceeding as an abuse of process.  However, the Court of Appeal ruled that because the litigation had been commenced for the purpose of generating legal fees rather than vindicating legal rights, it did represent an abuse of process and the action was permanently stayed.

 

In the Banksia Securities Class Action, the court was asked to consider whether a solicitor may properly act on behalf of a representative party where the solicitor was the secretary and a director of the litigation funder. (The specific solicitor involved in the Banksia case was the same individual that had tried to act on behalf of the representative party in the Treasury Wine Estates Limited litigation.) The court held that a solicitor with a pecuniary interest in the outcome of the case, beyond their legal fees, should be restrained from acting for the lead plaintiff. The court found that the arrangement impinged – or had the appearance of impinging – on the integrity of the judicial process.

 

The authors note that in neither of these two cases did the courts find that the solicitor involved had actually violated a law or professional duty. Rather, the authors note, “the risk or appearance of a conflict was sufficient to require the lawyers to be restrained to protect the integrity of the judicial process.”

 

The memo suggests that “the debate over the funding of litigation, by both lawyers and third parties, will continue in 2015.”  

A probable accompaniment of the increased IPO activity during 2013 and 2014 is an increase in IPO-related litigation, as I have previously noted. There has already been one high-profile IPO-related securities suit filed this year, the securities class action lawsuit filed last week against the Chinese e-commerce giant Alibaba. And if the two additional new filings late last week are any indication, we are likely to see further IPO-related securities suit activity involving the IPO classes of 2013 and 2014. But interestingly, though the two most recent IPO-related securities suits allege violations of the federal securities laws, the cases themselves were not filed in federal court. Instead, the cases were filed in state court, in California.

 

A little bit of background will help explain these recent developments. Section 22(a) of the Securities Act of 1933 provides for concurrent state court jurisdiction for civil actions alleging a violation of the ’33 Act’s liability provisions. Section 22(a) specifies further that when an action is brought in state court alleging a ’33 Act violation, the case shall not be removed to federal court.

 

These provisions were significantly litigated in connection with state court lawsuits filed during the financial crisis, as discussed here. One question in particular was whether the provisions of SLUSA, requiring “covered class actions” to be litigated in federal court, pre-empt the concurrent state court jurisdiction provisions in the ’33 Act. Suffice it to say here that the determinations of these issues were not uniform, but that in the Ninth Circuit, the state of the law seems to be that ’33 Act cases filed in state court in reliance on Section 22’s concurrent jurisdiction provisions are not removable notwithstanding the provisions of SLUSA. (I will stipulate that there is probably a great deal more that might be said on all of these issues; I am trying to summarize here so that the context of the recently filed cases may be generally understood.)

 

In apparent reliance on the concurrent jurisdiction provisions, plaintiffs filed two IPO-related securities class action lawsuits last week in California state court.

 

First, on February 5, 2015, plaintiffs filed a securities lawsuit in California (Santa Clara County) Superior Court against A10 Networks, Inc. and certain of its officers. A10 completed its IPO on March 21, 2014. According to the plaintiffs’ lawyers’ February 5, 2015 press release (here), the company sold nine million shares in the IPO at $15 per share, and certain “Selling Shareholders” sold another 3.855 million shares, including the underwriters’ overallotment. The lawsuit purports to be filed on behalf of a class consisting of all persons or entities who purchased A10 Networks securities pursuant and/or traceable to the Registration Statement and Prospectus issued in connection with A10’s initial public stock offering.

 

The press release states that the complaint alleges that on October 8, 2014, the Company announced third quarter revenue of approximately $43.0 million to $43.5 million, below the company’s prior guidance of $48.0 million to $50.0 million. On this news, shares of A10 Networks fell $3.35, or 42%, to close at $4.55 on October 8, 2014, or more than $10 per share below the company’s IPO share price.

 

Second, on February 6, 2015, plaintiffs filed a securities class action lawsuit in California (San Francisco County) Superior Court against Xoom Corp. and certain of its directors and officers. Xoom completed its IPO on February 14, 2013. The complaint purports to be filed on behalf of all shares purchased in or traceable to the initial public offering.

 

The complaint against Xoom relates to the company’s January 5, 2015 filing on form 8-K (here), in which the company announced that “On December 30, 2014, Xoom Corporation (the “Company”) determined that it had been the victim of a criminal fraud. The incident involved employee impersonation and fraudulent requests targeting the Company’s finance department, resulting in the transfer of $30.8 million in corporate cash to overseas accounts. As a result, the Company expects to record a one-time charge of $30.8 million in its fourth quarter of 2014.” The Company also announced that its Chief Financial Officer had resigned and that the board’s audit committee had launched an independent investigation.

 

According to the plaintiff’s lawyers’ February 7, 2015 press release (here), the complaint alleges that the company and certain of its directors and officers “made false and misleading statements and failed to disclose that its internal controls were deficient.”

 

There are a number of interesting things about these two new lawsuits. I should hasten to add that at this point I have only seen the plaintiffs’ law firms’ press releases about the suits. I have not yet been able to get my hands on the actual complaints that were filed. (I would be grateful if any readers out there that have a copy of either complaint would be willing to forward me a copy. I will of course update this post with links once I do get copies of the complaints.) Based on the press releases, I note the following.

 

UPDATE: The Xoom state court complaint can be found here. Interestingly, and notwithstanding the non-removal provision in Section 22 and the current state of case law in the Ninth Circuit, the defendant has filed a petition to remove the Xoom state court action to United States District Court for the Northern District of California. Thanks to a loyal reader for sending me both documents.

 

FURTHER UPDATE: The A10 Networks state court complaint can be found here. Thanks to yet another loyal reader for sending me the A10 Networks complaint.

 

First, though I expect that the securities lawsuit against A10 was filed in reliance on the ’33 Act’s concurrent jurisdiction provision, the press release at least does not say that the action asserts liability claims under the ’33 Act; rather, the press release says that the complaint alleges “violations of the federal securities laws under the Securities Exchange Act of 1934.” I have to assume that this was an error in the press release. (There are, in fact, some other rather obvious errors in the press release; for example, the press release says that the complaint was filed in the “United States California Superior Court, Santa Clara County,” which obviously is a goof.) I suspect that contrary to the press release the complaint itself asserts claims not under the ’34 Act, but rather under the ’33 Act. It is not just that the claimants’ claims purport to relate to the company’s IPO, and therefore presumably would support ’33 Act claims, but also if the complaint asserts only ’34 Act claims, the claimants would not have the benefit of Section 22’s non-removal provisions and the state court action would be immediately removable to federal court. UPDATE: As expected, the A10 Networks complaint to which I linked above does indeed assert claims under the ’33 Act, not under the ’34 Act.

 

Second, although the facts that Xoom disclosed in its January 5 filing on Form 8-K are quite sensational, and although it may not be surprising that allegations of this type might lead to litigation, it is less than clear, at least from the plaintiff’s lawyers’ press release, that there is a link between the events reported in the 8-K and the company’s IPO. Obviously, the claimants have every incentive to try to invoke the company’s IPO in order to try to assert claims under the ’33 Act, with its lower standard of liability, and they also appear motivated to invoke the IPO in order to try to rely on the ’33 Act’s concurrent jurisdiction provision. However, the filing of the 8-K took place nearly 23 months after the IPO and the complaint was filed just a week short of two years after the IPO. The plaintiffs will have to show how the fraudulent transfers that are at the heart of the complaint are connected to the company’s IPO nearly two years prior. UPDATE: The state court complaint, to which I linked above, does not in fact shed all that much light on the connection that the plaintiff seeks to draw between events described in the Form 8-K and Xoom’s IPO offering documents. The complaint says only that the events described in the 8-K “are a result of seriously deficient internal controls at the Company, which the Company failed to disclose during [sic] in its Registration Statement and Prospectus.”

 

As I noted in connection with the recent lawsuit against Alibaba, well over 500 companies completed their IPOs during 2013 and 2014. Because companies within three years of their IPOs are susceptible to IPO-related securities suits, and because plaintiffs’ lawyers will be attracted to potential suits in which they can assert ’33 Act liability claims (which have a lower standard of liability than ’34 Act claims), it seems probable that in 2015 and even on into 2016 we will see an upsurge of IPO-related securities lawsuits. If these two most recent cases are any indication, some of these upcoming IPO-related securities suits will be filed in state court, at least where plaintiffs’ lawyers have a basis to file their suits in a state court in one of the states within the Ninth Circuit.

 

I would be very interested in hearing from readers out there on a question that has always puzzled me about these state court suits – that is, why is state court preferable for the plaintiffs’ lawyers? I guess I can understand it if the plaintiffs think there is some “home court” advantage to proceeding in the local state court courthouse. I also recall from when these issues were debated during the financial crisis that there is an argument that certain of the PSLRA’s requirements do not apply to actions filed in state court. (My recollection of this argument is that some of the PSLRA’s provisions apply by their own terms only to actions “filed in federal court,” so the argument is that these provisions do not apply to actions filed in state court.) I welcome comments from anyone who can shed any light on the supposed advantage the plaintiffs’ lawyers think they can gain by proceeding in state court rather than in federal court.

 

In any event, I note here a concern that I previously noted when these issues came up in connection with the financial crisis lawsuit filings. My concern has to do with the fact that while the Ninth Circuit has held that neither SLUSA nor CAFA preempts Section 22’s non-removal provisions, other federal circuit courts (particularly the Second and Seventh Circuits) have held that SLUSA’s provisions or CAFA’s provisions should prevail over Section 22’s non-removal provisions. It is an uncomfortable situation when federal court jurisdictional provisions are not applied uniformly across the federal circuits. Given the United States Supreme Court’s recent enthusiasm for taking up securities cases, particularly where circuit splits are involved, it may be that this issue will eventually make its way to the Supreme Court at some point in the future.

 

Many contemporary management liability insurance policies draw distinctions between types of directors. For example, many private company D&O insurance policies provide additional excess defense expense coverage for the benefit of “non-executive directors.” However, these kinds of provisions beg the question of who exactly is a “non-executive director”? A recent decision by an appellate court in the Australian state of Victoria construing this type of provision – in a case in which an individual director was seeking access to the excess defense cost protection available only to “non-executive directors” – underscores how difficult this determination can sometimes be.

 

A copy of the Supreme Court of Victoria Court of Appeal’s December 16, 2014 opinion can be found here. Francis Kean’s February 9, 2015 post about the decision on the Willis Wire blog can be found here. A January 27, 2015 memo about the decision by Kathryn Rigney of the Colin Biggers and Paisley law firm in Sydney can be found here.

 

Background

Australian Property Custodian Holdings Limited was the responsible entity for and trustee of a property unit trust owning retirement and aged care facilities. Many of the property management functions for the unit trust’s various properties were undertaken by entities that, while characterized by overlapping ownership, were separate companies from Holdings.

 

Kim Samuel Jacques was a director of Holdings. He and other members of the Holdings board were subject to various claims for alleged wrongful acts that allegedly took place during the period 2006-08.

 

Holdings maintained an Investment Management Insurance Policy at the time the claims were made. The defendants’ costs of defending themselves from the claims exhausted the policy’s $5 million limit. Jacques sought the protection of an additional $1 million excess defense cost limit that was available under the policy for the benefit of “non-executive directors.” The insurance carrier denied that Jacques had the right to access the $1 million limit, contending that at the critical period, Jacques was an executive director and not a non-executive director. Jacques filed an action against the insurer seeking a judicial declaration that he was entitled to the benefit of the additional $1 million excess defense expense limit.

 

The policy defined “Director” as “any person who was, now is, or during the policy period becomes, an executive or non-executive director” of Holdings. The policy defined a “Non-Executive Director” as “any natural person who serves as a non-executive director of” Holdings. The policy definitions did not specify any criteria to be used in determining whether or not a director is a non-executive director.

 

The parties agreed that Jacques had been a non-executive director of the company before April 6, 2004 and that he functioned as an executive director of the company after June 26, 2007. The issue at trial was whether Jacques was a non-executive director during the period between those two dates.

 

The trial court determined that there were two issues to be decided: first, the court had to decide the meaning of the phrase “non-executive director” in the policy; and second, the court had to make a factual determination whether Jacques met the definition during the relevant time period. The trial court said that for purposes of interpreting and applying the policy language the critical inquiry was whether the company approved or acquiesced in the assumption by the director of the powers of an executive director, or whether there is evidence of the delegation of executive function to that director.

 

Following trial, the trial judge held that Jacques was not an executive director during the relevant period and was entitled to the benefit of the excess defense cost limit under the policy. The insurer appealed.

 

The December 16, 2014 Opinion

On December 16, 2014, a three-judge panel of the Victorian Court of Appeal dismissed the insurer’s appeal and affirmed the lower court’s ruling.

 

The insurer had tried to argue on appeal that, in addition to the issues considered by the trial court, in determining whether or not Jacques was an executive director during the relevant time period the court should also consider how Jacques’s role was portrayed to investors; how his role was perceived internally within Holdings; and how he perceived his own role. In support of these arguments, the insurer relied on documents that were provided to investors identifying him as an executive director and on board of directors’ minutes that described him as an executive director. The insurer also relied on testimony that Jacques had provided under oath in an Australian Securities and Investments Commission examination, in which he described his role during the relevant time period as that of an executive director.

 

The Court of Appeal essentially found that the views of the board itself or even of the director himself are of “limited relevance.” While the company’s records and documents may be relevant, they are relevant only to the extent they help to determine whether or not the individual was “performing executive functions in the management or administration of the company.” The Court of Appeal also found that while the way a director’s status is depicted to investors obviously might be of relevance in other circumstances, it is of “limited relevance” for purposes of construing the meaning of the term “non-executive director” in the policy.

 

The “essential element” to be considered, the Court of Appeal said, for purposes of construing the term “non-executive director” in the policy is not necessarily how he is described but rather “whether the director is performing executive functions in the management and administration of the company.”

 

The Court of Appeal said that the various statements to investors, in board minutes and even by Jacques himself in his examination testimony fell short of providing evidence of any delegation to Jacques of authority to perform executive functions. The Court of Appeal said that while the record showed that Jacques was performing an operational role in the management of the retirement villages, the record did not establish that this was done as part of the business of Holdings, rather than for the separate business enterprise by which he was employed. The Court of Appeal rejected the appeal and affirmed the trial court.

 

Discussion

I think that the language included in insurance policies drawing the distinctions between executive and non-executive directors (or similar language distinguishing “outside directors” or “independent directors”) is incorporated with an unconscious assumption that distinguishing between these types of directors will be clear or even self-evident. As this court found, there is not even that much case authority that is helpful on this issue, because, as Francis Kean notes in his memo about this case, under the common law all company directors are subject to the same duties and are judged by the same standard, so the need for judicial pronouncements in this area has been limited.

 

At a minimum, as the law firm memo to which I linked above puts it, this case “demonstrates” that “it is not always easy to determine whether a particular individual is acting as an executive director.”

 

You can certainly see how the carrier might have felt that Jacques was an executive director. After all, materials provided to investors identified him as an executive director. The company’s board minutes identified him as an executive director. He even testified under oath that during the relevant time period he was an executive director. (Jacques testified at trial in the insurance coverage action that his prior answer was wrong and that he had been confused in a stressful environment.)

 

The Court of Appeal said that these various instances in which Jacques was identified or described – both externally and internally – as an executive director were not only not determinative but were of “limited relevance.” The more important consideration was how he actually functioned and whether he participated in the management or administration of the company.

 

The larger question this case asks is how can parties to an insurance contract avoid these kinds of disputes. As the law firm memo puts it, “it is in the interests of both insurers and insureds to make sure that the relevant policy wording makes it clear which individuals are entitled to access the additional cover.”

 

So how can the parties avoid the kind of dispute that arose in this case? The law firm memo suggests that the way to solve the problem is to name the non-executive directors in a schedule to the policy. My experience suggests that this approach would be fraught with potential problems. For one thing, the inclusion of a list of specified individuals does not allow for the possibility that new non-executive directors might be added during the policy period. In addition, individuals might change their status during the policy period. Even worse, names can be omitted by oversight.

 

Compounding the difficulty of trying to solve this issue through policy language is the fact that, as this case makes clear, the question of whether or not a person was an executive director is a highly factual issue. It really depends on how the individual functioned within the company.

 

It is possible that the policy could specify the criteria that are to be used in determining whether or not an individual was functioning as an executive director. My concern there is that the specific facts at different companies and for different individuals will vary – and will change over time. It might be very difficult to provide specific criteria that accurately encompass any given individual’s function at any given company. And as the specific facts of this case show, an individual’s function in an enterprise may change over time.  

 

While it may be difficult to eliminate these kinds of disputes through policy language alone, there may be things companies can do to try to help avoid trouble. The first is for companies themselves to understand the differences between the various director roles and to be careful in maintaining the distinction between the roles, particularly in the ways in which directors are identified or described. If this company had been more attentive to the way Jacques was described, perhaps some of the trouble here could have been avoided. As Kean puts it in his blog post, “it is important to ensure that any transition from executive to non-executive function or vice versa is carefully and accurately reflected in the company documentation.”

 

In the end, it may be very difficult to avoid these kinds of disputes under the particular circumstances of a given individual and company. However, the possibility of avoiding these kinds of disputes begins with the understanding that the distinction between who is and who is not a non-executive director may not be self-evident. An appreciation for this fact will be the starting point for trying to find a solution and, it can be hoped, avoiding disputes in the future.

 

Special thanks to Francis Kean for calling my attention to this decision and for providing me with a link to his blog post.  

 

Like many of this site’s regular readers, I am at the PLUS D&O Symposium this week. Because the activities at the Symposium have disrupted my normal opportunities to blog, I thought I would fill the gap with some poetry.

 

These two winter poems come to us from Lucy Griffiths, Age 9, of Arlington, Virginia. Lucy is the daughter of my good friends and former colleagues, Stacey McGraw, of the Troutman Sanders law firm, and John Griffiths, of the U.S. Department of Justice. Here are Lucy’s winter poems.

 

MYSTERIOUS SNOW

Whispers are spoken
as flurries fall

Secrets are broken
while the snow grows tall

Feet wander making tracks
all while the snowflakes start to pack

WINTER WIND

The winter wind is crisp to your cheeks

The wind calls like a bird’s beak

The winter wind wonders what to do,
Should it snap?
Should it crackle?
Should it flow into your shoe?

The winter wind blows through the trees

It will never do as you please

Lucy is an award-winning poet. Last year, one of her poems won first prize in the Arlington County Public Schools Dr. Martin Luther King Jr. Visual and Literary Arts Contest. Here is her prize-winning poem “How Will I Rid the World of Hate”:

 

How I will rid the world of hate?

Wandering, wondering

How will I rid the world of hate?

Hate won’t get you anywhere.

Hate will keep you in the hatred zone.

 

Love will give you happiness

as merry as a sunny day.

Love brings joy

as strong as a lifelong friendship.

Love warms your heart

like the warm sun that beats down on my face.

 

Love gives you the faith to get rid of hate.

If you’re lost in the hatred zone,

replace your hatred with love.

 

Dr. King, Nelson Mandela and Mahatma Gandhi were great leaders

they taught us it is our responsibility to

bring love to the world and be leaders.

Dr. King taught to us to treat all people fairly

Nelson Mandela taught us

 apartheid was treating people improperly

And

Gandhi taught us to act peacefully.

A frequently recurring management liability insurance coverage issue involves the question of whether or not the policyholder has given timely notice as required under the policy, as I have discussed in prior posts on this blog (most recently here). Among the many kinds of notice issues that can arise are questions involving multiple or interrelated disputes. In the following guest post, Pamela Hans of the Anderson Kill law firm and Terrence Tracy and Heather Steinmiller of Conner Strong & Buckelew take a look at the steps companies can take to protect themselves when interrelated disputes arise.

 

I would like to thank Pamela, Terry and Heather for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to publish a guest blog post. Here is Pamela, Terry and Heather’s guest post.

 

*******************************************************************

 

A ballgame isn’t over till it’s over.  All too often, an insurance company will treat a D&O Claim as if it began before it began.  You need to be ready for that possibility.

Most D&O policies contain some form of an “interrelated wrongful acts” provision that can effectively render timely notice requirements retroactive.  What this means for Policyholders is that you may have to give notice of a claim before it is made if it is related to claims that were previously made.  While policy language varies, one typical provision states, “[C]laims based upon or arising out of the same act, error or omission or related acts, errors or omissions shall be deemed to be a single claim . . . all such claims shall be deemed to be first made as of the date that the earliest of such Claims was first made.”  Paradigm Ins. Co. v. P&C Ins. Sys., 747 So. 2d 1040, 1042 (Fla. Dist. Ct. App. 2000).

When a claim is asserted against your company, it may be natural to assume that only the claims listed in a demand letter or complaint will be those that proceed in litigation.  However, it is common for a claimant to amend its claims and assert a new claim based upon the same set of facts that were originally alleged.  If the amended claims include claims against your company’s directors or officers or allegations that now trigger your D&O coverage, you may run into a coverage roadblock if you did not notify your D&O insurance company of the original statement of claim.  That is, the insurance company may take the position that you were required to give notice of a claim before that claim was actually made.

How can you protect your company from the potentially punishing application of the “interrelated wrongful acts” provision in a Directors and Officers insurance policy? 

Help Your Broker Spread a Wide Net When Reporting the Claim

When your company receives a claim, complaint or other demand, your immediate reflex may be to send a copy of that document to your broker so that “the appropriate” insurance companies may be notified.   Perhaps you direct your broker to notify “all appropriate insurance companies” and leave the decision on whom to notify entirely to your broker without providing the broker with all the necessary information.     

It is essential to provide all the information that may help your broker determine which policies are triggered and may be triggered.  That means sharing with your broker all of the information you have about the claim, including factual information about the claims, your company’s defenses and the general background facts that may not be contained in the demand.  If you do not provide all pertinent and potentially pertinent information to your broker, your broker may not realize that insurance policies other than the “obvious” ones may be triggered.

Indeed, it is those facts that may or may not be known or raised by the claimant at the initial pleading or demand stage that may cause the claimant to amend its demand to add additional claims.  If those newly asserted claims trigger coverage under your D&O insurance policies but you have not placed your D&O insurance company on notice of the initial demand – as opposed to the amended demand – you may be surprised to receive a denial from your insurance company on the basis that you failed to give timely notice.

Frank discussions with your trusted professionals about those “silent facts” can help you to avoid the pitfall of inadvertently failing to put all appropriate insurance companies on notice – not just those that may be the obvious choices based on the original demand or statement of claim.

Playing Games with the Policy Period

By projecting the start of a claim against your directors and officers back to the start of a prior and allegedly “related” claim, an insurance company may feel empowered not only to assert that the policyholder failed to provide timely notice but also that the claim occurred outside the policy period.

A typical notice provision requires notice “of any Claim as soon as practicable after the Company’s general counsel, risk manager, chief executive officer or chief financial officer (or equivalent positions) first becomes aware of such Claim, but in no event later than sixty (60) days after the end of the Policy Period.”

In the insuring agreement, the insurance company typically agrees to pay the loss for a “wrongful act” that takes place during the policy period.   A wrongful act may be defined as “any actual or alleged error, omission, misleading statement, misstatement, neglect, breach of duty or act negligently committed or attempted” by any Director or Officer while acting in their capacity.

Consider the scenario in which you receive a demand from a claimant but decide not to give notice to your D&O insurance company because the demand does not clearly assert a claim against your Directors and Officers or a claim under the terms and conditions of the policy.  What happens if the claimants amend their initial demand a year or two later to allege new claims based upon the facts contained within the original demand? 

Even if the newly asserted claims fall within the policy period, if they arise out of the same set of facts as initially alleged, then the new claims, as one interrelated wrongful acts provision phrases it, may “be deemed to constitute a single Claim and shall be deemed to have been made at the earliest of the following times regardless of whether such date is before or during the Policy Period:  (a) the time at which the earliest Claim involving the same Wrongful Act or Interrelated Wrongful Act is first made; or (b) the time at which the Claim involving the same Wrongful Act or Interrelated Wrongful Act is first made.” 

If you become aware of a claim against your Directors and Officers after the end of the policy period, your insurance company may deny coverage because the claim was not reported during the policy period.  Even if you provide notice on a current policy promptly after becoming aware of a claim newly filed against your Directors and Officers, the insurance company may deem the claim to have occurred prior to the policy period, when the alleged “interrelated wrongful act” first occurred.

Further Steps To Avoid Late Notice Defenses

In addition to providing your broker with all relevant information when you receive notice of a claim, you can take further steps to avoid “interrelated wrongful acts” coverage defenses.  All of them involve understanding the claim against you as broadly as possible and casting the notice net as widely as possible.  They include: 

(1)     Have a candid discussion with your trusted counsel about the claims asserted, your company’s defenses, and claims that could be asserted based upon the facts as you know them to be.  This can help you understand the potential amendments to the stated claims and understand whether your Directors and Officers have potential liability down the road.

(2)    Communicate with your insurance broker — not only about the claim in question but about the scope of all your insurance policies.  Be sure that you understand the notice requirements in all of your insurance policies, particularly those policies that you may not initially consider to be triggered by a claim. 

(3)    Consult with trusted coverage counsel on the policy provisions regarding claims, notice and interrelated wrongful acts.  Understanding these provisions, including how courts have interpreted them, will assist you in evaluating the insurance coverage available for the claims asserted. 

(4)    When in doubt . . . notify.  Policyholders may be reluctant to notify insurance companies whose policies are not obviously triggered by a claim.  Factors motivating that reluctance to notify often include a belief that policy premiums will increase because of notice of a claim.  However, generally, notice only with no monies spent will not affect premium and on balance, even if the insurance company increases the policy premiums at renewal because of notice of a claim, generally that increase is small relative to the coverage that may be lost if notice is not given. 

(5)    Don’t keep your professionals in silos; let them talk to each other to fully protect your interests.  Your broker, defense counsel and coverage counsel should talk to one another to ensure all appropriate steps are taken.  

Read the claim, read the policy

Policyholders often fail to read their insurance policies until there is a loss.  However, the interrelated wrongful acts provision in many D&O insurance policies, combined with the notice requirements in those policies, highlights the importance of understanding the constraints your insurance policies may place on coverage if you decide not to provide notice of a claim.  One way to avoid inadvertently forfeiting coverage is by understanding the claims that are asserted – and those that could be asserted – as well as the notice and insuring agreement provisions in your insurance policies. 

About the Authors:  Pamela D. Hans is the managing shareholder of Anderson Kill’s Philadelphia office. Her practice concentrates in the area of insurance coverage exclusively on behalf of policyholders. Her clients include utilities, mining companies, home builders, non-profit organizations, ethanol producers, commercial lenders, and hog processors, whom she has represented in disputes with their insurance companies.  Ms. Hans can be reached at (267) 216-2720 or at phans@andersonkill.com. Terrence Tracy serves as Managing Director, Executive Vice President of Conner Strong & Buckelew, a leading insurance, risk management and employee benefits brokerage and consulting firm.  He leads the commercial insurance services operation.  Mr. Tracy can be reached at (267) 702-1458 or at ttracy@connerstrong.com.  Heather A. Steinmiller serves as Senior Vice President and General Counsel for Conner Strong & Buckelew.  In addition to her corporate responsibilities, Ms. Steinmiller provides support to the Commercial Lines Division.  She can be reached at (267) 702-1366 or at hsteinmiller@connerstrong.com.

 

 

 

The year just completed was a banner year for IPOs in the U.S., with more companies completing their initial public offerings on U.S. exchanges in 2014 than in any year since 2000 (as detailed here). But as I have previously noted (here), with an increase in IPO activity comes the likelihood of IPO-related securities class action litigation. The largest IPO of them all during 2014 was the high-profile launch of Chinese e-commerce giant Alibaba, whose September 2014 initial public offering was the largest IPO ever. Given the size and high-profile nature of the Alibaba offering, it may have been inevitable that the company’s IPO might attract the attention of plaintiffs’ lawyers.

 

On January 30, 2015, an Alibaba shareholder launched a securities class action lawsuit against the company in the Southern District of New York. A copy of the shareholders’ complaint can be found here. The plaintiffs’ lawyers’ January 30 press release can be found here.

 

Alibaba completed its IPO listing its American Depositary Shares on the New York Stock Exchange on September 19, 2014. After the offering underwriters exercised their “greenshoe” option, the amount the company raised in the offering reached $25 billion, making it the largest IPO ever, and giving the company a market capitalization at the time of its IPO of $231 billion.

 

As reported in a front-page article in the January 29, 2015 Wall Street Journal (here), the prior day China’s State Administration for Industry and Commerce posted on its website a white paper accusing Alibaba of failing to crack down on the sale of fake goods, bribery and other illegal activity on its web sites.  The Journal article reports that Alibaba has long grappled with allegations that Taobao, its biggest e-commerce platform, is rife with counterfeit goods. Though the white paper was not posted on the agency’s website until last week, the Journal article reports that it was based on discussions the agency has been having with the company since July, prior to the company’s IPO.  In response, the company accused a senior official at a government agency of misconduct and threatened to file a formal complaint.

 

A January 30, 2015 Marketwatch article (here) reported that the SAIC said in a statement late Friday that it met with Alibaba’s executive chairman, Jack Ma, on Friday, resulting in an agreement to tackle fakes and boost consumer protection online. Alibaba agreed to “actively cooperate” with the SAIC to strengthen investment capital and technology and expand its anticounterfeit measures, the statement said. Alibaba also agreed to routine inspections of products sold on its site, the statement said. According to a January 30, 2015 Wall Street Journal article (here), the company claimed that this arrangement with the SAIC represented a “vindication” for the company.

 

Meanwhile, while these details regarding the company’s dispute with the government agency were circulating, the company released its financial results for the year. According to a January 29, 2015 Wall Street Journal article (here), “profit fell 28% from a year earlier for the quarter ended Dec. 31, a drop it largely attributed to expenses from giving shares to employees. But investors focused on its revenue growth, which—while sizable—disappointed analysts.”

 

On January 30, 2015, a holder of the Alibaba ADSs filed a securities class action lawsuit in the Southern District of New York against the company and four of its directors and officers, including Jack Ma, the company’s founder and Chairman. According to the plaintiff’s lawyers’ January 30, 2015 press release, the Complaint alleges “Alibaba failed to disclose that Company executives had met with China’s State Administration of Industry and Commerce (“SAIC”) in July 2014, just two months before Alibaba’s $25+ billion initial public offering in the United States (the “IPO”), and that regulators had then brought to Alibaba’s attention a variety of highly dubious – even illegal – business practices.” The complaint alleges, among other things, that Ma and Joseph Tsai, the company’s co-founders, sold millions of their personal holdings in the company’s stock in the offering.

 

The press release also states that the complaint alleges that:

 

On January 28, 2015, before the opening of trading, various members of the financial media reported that SAIC had released a white paper accusing Alibaba of engaging in the very illegal conduct disclosed to Alibaba executives in July 2014.  On this news, the complaint alleges that the price of Alibaba ADSs declined on unusually high trading volume.  Then, the complaint alleges, on January 29, 2015, before the market opened, Alibaba issued a press release announcing its financial results for the quarter ended December 31, 2014.  The complaint alleges that revenue growth missed the target defendants had led the investment community to expect and that profits declined 28% from Alibaba’s fourth quarter 2013 results.

 

The complaint alleges that as a result of these disclosures, the price of Alibaba ADSs plummeted further and collectively the two drops erased more than $11 billion in market capitalization from the ADSs Class Period high.

 

Interestingly, though the complaint makes numerous references to the company’s IPO, the complaint alleges violations only of Sections 10 and 20 of the ’34 Act. The complaint does not allege violations of Sections 11, 12, and 15 of the ’33 Act as would typically be expected in a complaint filed against a recent IPO company. Indeed, the class period that the complaint proposes does not even extend all the way back to the company’s September 19, 2014 IPO – the proposed class period commences on October 21, 2014. Although there is no way to know for sure, I am guessing that the complaint does not assert ’33 Act claims and does not propose a class period including the IPO date and immediately following period because, I suspect, the named plaintiff did not buy shares in the offering or immediately afterward, but only purchased shares on or about October 21, 2014, the beginning date of the purported class period. If that is the case, one would expect other claimants to come forward who did purchase shares in the IPO. NOTE: Several readers have suggested that even after the disclosures the company’s share price remained above the price at which the stock debuted, which would explain the absence of a ’33 Act claim.  

This new lawsuit against Alibaba is merely the latest example of a securities litigation filing trend that was apparent during 2014, largely as a result of the uptick of IPO activity in 2013 and 2014: the increase in IPO-related securities class action litigation. During 2014, there were 17 securities lawsuits filed against IPO companies, representing 10% of all filings during the year.

 

Given the increase in the number of IPOs during 2013 and 2014 and in light of the usual lag time between the IPO date and the date of lawsuit filings, it seems probable that there will continue to be significant numbers of filings in the months ahead involving IPO companies. Alibaba may have been the largest of the recent IPOs – indeed the largest of all time – but it is only one of the over 280 companies that completed initial offerings on the U.S. exchanges in 2014, following 225 companies that completed U.S. IPOs in 2013. With over 500 newly listed companies just in that two-year period, it seems likely that there will be more IPO-related securities suits to follow. The Alibaba lawsuit may be the first of a host of IPO-related lawsuits to be filed this year.

 

Alibaba’s Fee-Shifting Provisions:  The shareholder filed this lawsuit against Alibaba notwithstanding the fact that Alibaba has a fee-shifting provision in its Articles of Association. (Alibaba is organized under the laws of the Grand Caymans.) As discussed at length in a recent post on the Race to the Bottom blog (here), Alibaba’s charter has a provision requiring a shareholder who initiates a claim against the company and who does not prevail in a judgment on the merits to reimburse the company for its fees and costs (including attorneys’ fees) incurred in connection with the claim. Whether or not this provision ultimately becomes relevant remains to be seen, but it would have to be expected that the company’s lawyers could attempt to rely on this provision, if, for example, the defendants were to prevail on a motion to dismiss. The plaintiff and their attorneys would of course resist any such effort, and, among other things, would rely on the language of the provision that limits its effect “to the extent permitted by law” and undoubtedly would attempt to raise a number of arguments that the provisions cannot be enforced in connection with a claim under the federal securities laws. It will be interesting to see the extent to which these issues actually come into play in connection with or as a consequence of this lawsuit. NOTE: One alert reader has suggested that the term “shareholder” as used in the company’s charter provision does not include ADS holders.

 

Because Alibaba is organized under the laws of the Grand Caymans, the legislation pending in the Delaware legislature with respect to fee-shifting bylaws would be irrelevant, regardless of what the Delaware legislature may ultimately decide to do.